Google Calendar MCP — agentic threat model
The Google Calendar MCP tool presents moderate-to-high risk because it holds write capabilities (creating, updating and deleting events, and inviting attendees outside the user's organisation) through an OAuth grant. Without strict human-in-the-loop controls on those write paths, a compromised or prompt-injected orchestrator could use the tool for calendar-invite phishing (invitations whose title, description and links it controls, delivered to external mailboxes from the victim's own account) or for data destruction through bulk event deletion.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula as implemented in the AIVSS calculator; the agentic risk factors above are estimates derived from the capabilities described in the listing, not from testing the tool.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models. Not certain from the listing: the listing describes an MCP tool rather than the foundation model itself. However, the model calling this tool is exposed to prompt injection, including indirect injection through untrusted text the tool itself reads back (for example the description of an event created by an outside sender), which could drive unauthorized calendar modifications or spam invitations.
Layer 2, Data Operations. Not certain from the listing: while the tool reads and writes Google Calendar data, the listing does not specify how that data is cached, embedded or processed locally, so potential data-exfiltration and data-lineage gaps remain unaddressed.
Layer 3, Agent Frameworks. The tool integrates via the Model Context Protocol (MCP). Insecure tool integration or a lack of strict schema validation on tool arguments (attendee addresses, event identifiers, attendee counts) could allow an orchestrator to misuse the write and delete capabilities, leading to unintended calendar modifications.
Layer 4, Deployment and Infrastructure. Not certain from the listing: the hosting environment of the MCP server and the storage mechanism for the OAuth client secret and user refresh tokens are not described, so credential theft is a risk if they are poorly secured.
Layer 5, Evaluation and Observability. Not certain from the listing: there is no mention of built-in guardrails, rate limiting or logging to detect anomalous behaviour such as mass event deletions or a burst of invitations to external addresses.
Layer 6, Security and Compliance. The tool uses OAuth for authentication and authorization. While this secures the connection to Google APIs, the broad write permission granted to the agent (a full calendar scope where an events-only scope would do) creates a compliance and security risk unless it is paired with least-privilege scopes and fine-grained user consent.
Layer 7, Agent Ecosystem. As an MCP tool designed to be called by other AI agents, it is highly exposed to agent-to-agent trust abuse: a compromised upstream agent could use it to conduct calendar-invite phishing against external organisations under the victim's identity.
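The controls the Layer 3, 5, 6 and 7 notes call for can sit in one policy gate in front of the server's write tools. The following is an added example written for this page, not code from the listing or from any Calendar MCP project. It assumes tool names `create_event`, `update_event` and `delete_event`, an organisation domain `example.com`, and an in-memory sliding window (a multi-instance deployment would need shared storage). The two OAuth scope URLs are Google's real Calendar scopes; everything else is illustrative.

```python
"""Policy gate for a Calendar MCP server's write tools (added example).

Assumed, not from the listing: tool names create_event / update_event /
delete_event, org domain example.com, in-memory sliding-window counters.
"""
from __future__ import annotations

import re
import time
from collections import deque
from dataclasses import dataclass, field

# Real Google Calendar OAuth scopes; events-only avoids the full calendar scope.
READONLY_SCOPE = "https://www.googleapis.com/auth/calendar.readonly"
EVENTS_SCOPE = "https://www.googleapis.com/auth/calendar.events"
WRITE_TOOLS = {"create_event", "update_event", "delete_event"}  # assumed names
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def minimal_scope(enabled_tools) -> str:
    """Request only the scope the enabled tool set needs (least privilege)."""
    return EVENTS_SCOPE if WRITE_TOOLS & set(enabled_tools) else READONLY_SCOPE


@dataclass
class PolicyConfig:
    org_domain: str = "example.com"      # assumed organisation domain
    max_attendees: int = 50
    window_seconds: float = 300.0
    max_deletes_per_window: int = 5
    max_external_invites_per_window: int = 3


@dataclass
class Decision:
    action: str                          # "allow" | "require_approval" | "deny"
    reasons: list[str] = field(default_factory=list)


class CalendarWriteGate:
    """Schema checks, human approval for external invites, burst limits, audit log."""

    def __init__(self, cfg: PolicyConfig, clock=time.time):
        self.cfg, self.clock = cfg, clock
        self._deletes: deque = deque()       # timestamps of delete calls
        self._external: deque = deque()      # timestamps of external invitations
        self.audit_log: list[dict] = []

    def _prune(self, dq: deque, now: float) -> None:
        while dq and now - dq[0] > self.cfg.window_seconds:
            dq.popleft()

    def _schema_problems(self, tool: str, args: dict) -> list[str]:
        problems: list[str] = []
        if tool in ("create_event", "update_event"):
            attendees = args.get("attendees", [])
            if not isinstance(attendees, list):
                problems.append("attendees must be a list")
            elif len(attendees) > self.cfg.max_attendees:
                problems.append(f"too many attendees ({len(attendees)})")
            else:
                problems += [f"invalid attendee address: {a!r}" for a in attendees
                             if not isinstance(a, str) or not EMAIL_RE.match(a)]
        elif tool == "delete_event":
            if not isinstance(args.get("event_id"), str):
                problems.append("event_id must be a string")
        else:
            problems.append(f"unknown write tool {tool!r}")
        return problems

    def _external_attendees(self, attendees: list[str]) -> list[str]:
        # Only reached after the schema check, so every address matches EMAIL_RE.
        return [a for a in attendees
                if EMAIL_RE.match(a).group(1).lower() != self.cfg.org_domain]

    def evaluate(self, tool: str, args: dict) -> Decision:
        now = self.clock()
        problems = self._schema_problems(tool, args)
        if problems:                      # malformed call never reaches the Google API
            return self._record(tool, Decision("deny", problems), now)
        decision = Decision("allow")
        if tool == "delete_event":
            self._prune(self._deletes, now)
            self._deletes.append(now)
            if len(self._deletes) > self.cfg.max_deletes_per_window:
                decision = Decision("require_approval",
                                    [f"{len(self._deletes)} deletes in window"])
        else:
            external = self._external_attendees(args.get("attendees", []))
            if external:                  # invite-phishing vector: always a human decision
                self._prune(self._external, now)
                self._external.extend([now] * len(external))
                decision = Decision("require_approval", [f"external attendees: {external}"])
                if len(self._external) > self.cfg.max_external_invites_per_window:
                    decision = Decision("deny", decision.reasons +
                                        [f"{len(self._external)} external invites in window"])
        return self._record(tool, decision, now)

    def _record(self, tool: str, decision: Decision, now: float) -> Decision:
        # Structured record; alert on action != "allow" to close the observability gap.
        self.audit_log.append({"ts": now, "tool": tool, "action": decision.action,
                               "reasons": decision.reasons})
        return decision


def demo() -> list[str]:
    """Constructed call sequence (not real traffic) as an injected orchestrator might emit it."""
    now = [1_000.0]
    gate = CalendarWriteGate(PolicyConfig(), clock=lambda: now[0])

    def ext(n: int):
        return "create_event", {"summary": f"Sync {n}", "attendees": [f"p{n}@vendor.test"]}

    calls = [("create_event", {"summary": "1:1", "attendees": ["bob@example.com"]}),
             ext(1),
             ("create_event", {"summary": "x", "attendees": ["not-an-email"]}),
             ("delete_event", {"event_id": 42}),
             *[("delete_event", {"event_id": f"evt{i}"}) for i in range(6)],
             ext(2), ext(3), ext(4)]
    actions = [gate.evaluate(t, a).action for t, a in calls]
    now[0] += 400.0                        # window expires, counters reset
    actions.append(gate.evaluate(*ext(5)).action)
    return actions
```

In `demo()`, the internal invite passes, every external invite is held for approval, the fourth external invite inside the window is refused outright, the sixth delete in the window is held, and the two malformed calls are rejected before any API call is made. The gate returns a decision rather than performing the action, so the MCP server can route `require_approval` to the user and log `deny` for the security team.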
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).